If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!

This is getting beyond my level of expertise, but what I'm saying is generating a password of five words is different to figuring out that the password actually has five words.

10^19 is just a lower bound for a 10,000 word dictionary. Counting variations of those words, whether it's a change in casing or a numerical substition, you have at least an order of magnitude more word choices for each word. There's no requirement for there to be syntactical or grammatical structure to the passphrase.

z/OS supports passphrases of 100 characters long, which may be 10 or 20 words long, which obviously has a greater space of valid passwords than the 20 character passwords boxes that some sites are adopting. A 20 word sentence is more memorizable than a 20 character random string let alone a 100 character random string.

But, and as I've repeatedly stated, if you use a password hash generator (plenty of free tools online) then you can have a memorable password and a secure password.

Basically, find an online password hash generator, use the same password for every website / application and a salt being the site/app name. For example, using http://www.insidepro.com/hashes.php I could do the following:
password "i like steak"
hash "osnews.com"
user "laurence"
and I would get a password of something like "fK8dyanyjaLzEqohAixCjl+FbLbELvwphJPC0yce7xY7ZuO0TP4OBGZ/a/iqqvquh9Ht Q+5Pwcoq8nOa5rGlvQ==" for a sha512 encoding.

That's a random password which is 88 characters long, unique for each website and memorable (as all I need to remember is "i like steak" for every site.

But, and as I've repeatedly stated, if you use a password hash generator (plenty of free tools online) then you can have a memorable password and a secure password.

Basically, find an online password hash generator, use the same password for every website / application and a salt being the site/app name. For example, using http://www.insidepro.com/hashes.php I could do the following:
password "i like steak"
hash "osnews.com"
user "laurence"
and I would get a password of something like "fK8dyanyjaLzEqohAixCjl+FbLbELvwphJPC0yce7xY7ZuO0TP4OBGZ/a/iqqvquh9Ht Q+5Pwcoq8nOa5rGlvQ==" for a sha512 encoding.

That's a random password which is 88 characters long, unique for each website and memorable (as all I need to remember is "i like steak" for every site.

That method is far more secure than using a passphrase.

I still fail to see how a cracker tool can tell, even with the information that a string is 88 characters long, that the user chose to go with a password hash and not a password phrase.

If a cracker tool is sophisticated enough to figure that out, it may as well be sophisticated enough to figure out which tool you used to generate your hash and what you put in as the parameters. It's a few more levels of indirection, but you've basically still used a passphrase. It's just the passphrase is for different data.